Presented at SuriCon 2018 by Eric Leblond, OISF
Suricata 4.1 includes eBPF and XDP support, making Suricata one of the first general-purpose software projects to adopt these recently introduced Linux kernel technologies. While these additions let Suricata fix long-standing problems such as multiple VLAN filtering, their main impact is on bypass capabilities: flow bypass can now be done at the driver level, or directly in advanced network cards such as Netronome's. eBPF is an extension of the Berkeley Packet Filter that can be programmed in a subset of C and provides data structures shared between the kernel and userspace. Suricata uses eBPF to filter the capture socket and to implement flow bypass. XDP is essentially the capability to run an eBPF program in the packet path at the driver level, which allows very early filtering and some fancy tricks that will be described in the talk.
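As an added illustration (not Suricata's code and not a loadable XDP program), this portable C models the logic an XDP bypass filter performs: walk past stacked VLAN tags with bounds-checked reads, build a 5-tuple flow key, and drop any packet whose flow userspace has placed in the shared map. The key layout, the "map", the frame and the 5-tuple are all constructed here; in the real program the map is a BPF hash map populated by Suricata and the verdict goes back to the driver.

```c
#include <stdint.h>
#include <stddef.h>
enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same values as the kernel's enum xdp_action */
#define MAX_VLAN 2                      /* bounded loop: the eBPF verifier needs a fixed upper bound */
/* Flow key in host byte order (constructed layout, not Suricata's real map format). */
struct flow_key { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
/* Stand-in for the BPF hash map shared with userspace, where Suricata would insert bypassed flows. */
static struct flow_key bypass_map[8];
static int bypass_count;
void bypass_add(struct flow_key k) { if (bypass_count < 8) bypass_map[bypass_count++] = k; }
static int in_map(const struct flow_key *k) {   /* linear scan; the real map is a BPF hash table */
    for (int i = 0; i < bypass_count; i++)
        if (bypass_map[i].src == k->src && bypass_map[i].dst == k->dst && bypass_map[i].proto == k->proto &&
            bypass_map[i].sport == k->sport && bypass_map[i].dport == k->dport) return 1;
    return 0;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Per-packet verdict. Every read is bounds-checked first, as the eBPF verifier demands. */
int xdp_bypass(const uint8_t *data, size_t len) {
    const uint8_t *p = data, *end = data + len;
    struct flow_key k = {0};
    if (end - p < 14) return XDP_PASS;
    uint16_t eth = rd16(p + 12); p += 14;
    /* Peel up to MAX_VLAN stacked 802.1Q/802.1ad tags, which classic BPF could not look past. */
    for (int i = 0; i < MAX_VLAN && (eth == 0x8100 || eth == 0x88a8); i++) {
        if (end - p < 4) return XDP_PASS;
        eth = rd16(p + 2); p += 4;
    }
    if (eth != 0x0800 || end - p < 20) return XDP_PASS;              /* IPv4 only in this model */
    size_t ihl = (p[0] & 0x0f) * 4u;
    if (ihl < 20 || (size_t)(end - p) < ihl) return XDP_PASS;
    k.proto = p[9]; k.src = rd32(p + 12); k.dst = rd32(p + 16); p += ihl;
    if ((k.proto != 6 && k.proto != 17) || end - p < 4) return XDP_PASS;
    k.sport = rd16(p); k.dport = rd16(p + 2);
    return in_map(&k) ? XDP_DROP : XDP_PASS;   /* a DROP here means Suricata never sees the packet */
}
/* Constructed frame (not a capture): two stacked 802.1Q tags, IPv4 10.0.0.1 -> 192.168.1.1, TCP 40000 -> 443. */
static const uint8_t frame[] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x81,0x00,0x00,0x64, 0x81,0x00,0x00,0xc8, 0x08,0x00, /* MACs, VID 100, VID 200 */
    0x45,0x00,0x00,0x28, 0,0, 0x40,0x00, 0x40,0x06, 0,0, 10,0,0,1, 192,168,1,1,      /* IHL 5, len 40, TCP */
    0x9c,0x40, 0x01,0xbb, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0x20,0x00, 0,0, 0,0 };        /* ports, SYN */
/* Verdict for the frame above, optionally after inserting its 5-tuple the way Suricata would, with `trim` bytes cut. */
int demo(int add_to_map, size_t trim) {
    struct flow_key k = { 0x0a000001, 0xc0a80101, 40000, 443, 6 };
    bypass_count = 0;
    if (add_to_map) bypass_add(k);
    return xdp_bypass(frame, sizeof frame > trim ? sizeof frame - trim : 0);
}
```

A truncated frame falls through to XDP_PASS at the first failed bounds check, so a malformed packet is handed to Suricata rather than silently dropped.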